Use of scanf() operation that permits buffer overflows (IN EXAMPLES) #7293

Closed
2 tasks done
jishanshaikh4 opened this issue Jun 23, 2021 · 5 comments

@jishanshaikh4 jishanshaikh4 commented Jun 23, 2021

The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20).

LABEL: Bug
SEVERITY: Major
SOLUTION: Specify a limit to %s, or use a different input function.
COMMON WEAKNESS ENUMERATION INDEX: CWE-120, CWE-20
Instances found in the repo:

  • docs\examples\synctime.c:158

int RetVal = sscanf((char *)(ptr), "Date: %s %hu %s %hu %hu:%hu:%hu",

  • docs\examples\rtsp.c:176

sscanf(s, " a = control: %s", control);

Author

@jishanshaikh4 jishanshaikh4 commented Jun 23, 2021

Developers who used these examples as a reference for their work MUST change their sources to avoid this vulnerability.

Collaborator

@dfandrich dfandrich commented Jun 23, 2021

Author

@jishanshaikh4 jishanshaikh4 commented Jun 23, 2021

The synctime.c case has a line immediately before the sscanf to avoid an overflow (the comment says "Can prevent buffer overflow"); however, it's flawed in that it relies on undefined behaviour (how variables are assigned on the stack). That's probably not a security issue in real life, but ought to be fixed. The second one doesn't look like an issue to me at all. The input buffer size is limited to less than max_len in the read, which means that the result of sscanf will always be smaller than the buffer.

The comment asks the question "Can prevent buffer overflow to TmpStr1 & 2?" as it spans two lines.

Collaborator

@dfandrich dfandrich commented Jun 23, 2021

Author

@jishanshaikh4 jishanshaikh4 commented Jun 23, 2021

I'm not sure of the PR right now.

bagder added a commit that referenced this issue Jun 24, 2021
Reported-by: Jishan Shaikh
Fixes #7293
@bagder bagder closed this in 42db4cc Jun 24, 2021
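
The remedy named in the report, a width limit on every `%s`, applied to the two format strings quoted above. This is an added example, not code from the thread or from curl; the helper names, struct and buffer sizes (`TOKEN_MAX`, `CONTROL_MAX`) are assumptions chosen for illustration, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; names and buffer sizes are assumptions, not curl code. */
#define TOKEN_MAX 7          /* longest weekday/month token we accept */
#define CONTROL_MAX 63       /* longest control attribute we accept */
#define STR2(x) #x
#define STR(x) STR2(x)       /* turns TOKEN_MAX into the literal "7" */

struct http_date {
  char wday[TOKEN_MAX + 1];  /* +1 for the NUL that %Ns always appends */
  char month[TOKEN_MAX + 1];
  unsigned short day, year, hour, min, sec;
};

/* Parse a "Date:" header line. Returns 1 only if all 7 fields converted. */
int parse_date_header(const char *line, struct http_date *d)
{
  int n;
  memset(d, 0, sizeof(*d));
  n = sscanf(line, "Date: %" STR(TOKEN_MAX) "s %hu %" STR(TOKEN_MAX)
             "s %hu %hu:%hu:%hu", d->wday, &d->day, d->month, &d->year,
             &d->hour, &d->min, &d->sec);
  return n == 7;
}

/* Parse an SDP "a=control:" line into out[CONTROL_MAX + 1]. */
int parse_control(const char *s, char *out)
{
  out[0] = '\0';
  return sscanf(s, " a = control: %" STR(CONTROL_MAX) "s", out) == 1;
}

int main(void)
{
  /* Constructed sample inputs, not captured traffic. */
  struct http_date d;
  char control[CONTROL_MAX + 1];
  int ok = parse_date_header("Date: Wed, 23 Jun 2021 10:15:30 GMT", &d);
  printf("well-formed: ok=%d wday=%s year=%hu\n", ok, d.wday, d.year);
  ok = parse_date_header("Date: AAAAAAAAAAAAAAAAAAAAAAAA 23 Jun 2021 1:2:3", &d);
  printf("oversized:   ok=%d stored=%zu bytes\n", ok, strlen(d.wday));
  ok = parse_control("a=control:streamid=0", control);
  printf("control:     ok=%d value=%s\n", ok, control);
  return 0;
}
```

Deriving the width from the same macro that sizes the array keeps the two from drifting apart, and checking the conversion count rejects a line whose token was cut short by the limit.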